Abstract
Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria were selected to highlight commonalities and important features of attack strategies, which define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of the proposed solutions.